Introduction to Webmin users, groups and permissions

A standard, out-of-the-box Webmin installation has only one user (called root or admin) who can use every feature of every module. On a home or office system used by just one person, that is all you need. Even if your system has multiple users, there may be only one who needed to perform system administration tasks.

However, there are many situations in which the administrator may want to give some people access to a subset of Webmin's features. For example, you may have a person in your organization whose job it is to create and edit DNS zones and records. On a normal Unix system, this person would have to be given root access so that he can edit the zone files and re-start the DNS server when necessary. Unfortunately, once someone is able to login as root he has full control of the system and can do whatever he wants.

Webmin solves this kind of problem by allowing you to create additional users who can login, but only access a few modules. You can further restrict what the user can do within each module, so that he cannot abuse its features to perform actions that he is not supposed to. Because Webmin still runs with full root privileges even when used by a restricted user, it still has access to all the configuration files and commands that it needs.

Some examples of the kind of access control restrictions that you can set up are :

Creating a user with the right to edit directives in only a few Apache virtual servers that he owns. Global settings or directives in other virtual hosts cannot be edited.

Giving a user the rights to edit and create Unix users with UIDs within a certain range and with home directories under a restricted directory. Important system users such as root or bin cannot be edited or even viewed.

Allowing a user access to only one MySQL database, but not to other databases or user permissions. Similar access control can be set up for PostgreSQL.

Giving a user access to the Squid access control list, but not to other functions. The user could be allowed to apply his configuration changes, but not to start or stop the proxy server.

Creating custom commands and then giving a user the rights to run only some of them, but not create or edit any.

Allowing a user to view and cancel print jobs in the Printer Administration module, but not edit or create actual printers.

Many of these rights would be impossible to grant using command-line tools without giving root access to the entire system. Even programs like sudo are limited when it comes to allowing a user to edit only part of a file, or run a command with only certain arguments.

You must be very careful when granting access to un-trusted Webmin users though, as even a small mistake in the access control configuration may allow the user to edit arbitrary files on your system or run commands as root. All it takes is a small hole for an attacker to sneak through and take total control of your system. Webmin's access control capabilities give you the power to lock down users, but only if used properly.

Even though it is possible to create a user with access to only his own email, home directory and password, Webmin is not always the best way to provide this kind of single-user web interface. A superior program is Usermin, which was developed by the same author and shares much of the Webmin code and user interface. It is designed to give each Unix user access to only those things that he would be able to access at the command line, such as his email, home directory files and GNUPG configuration. Usermin runs most of its code with the permissions of the logged-in user, so there is far less chance of a user doing things that he is not supposed to, or even gaining root access. See Usermin Configuration for more details on how you can manage Usermin from within Webmin.

The Webmin Users module

If you want to create, edit or grant permissions to a Webmin user or group, it must be done in this module. When you enter it from the Webmin category, the main page displays all users and groups on your system and the modules that they have access to, as shown in the image below. If a user is a member of a group, his membership and only those modules that did not come from the group will be shown.

The Webmin Users module

On a normal Webmin system, only the root or admin user that you login as will appear, which access to all modules that are supported on your operating system.

Creating a new Webmin user

If you want to create a new user who can login to Webmin, possibly with limited privileges, it must be created in this module. The steps to do this are:

On the module's main page, click on the *Create a new Webmin user* link above or below the list of existing users. This will bring up the creation form shown in Figure 52-2.

Enter a login name into the Username field. The name cannot be already in use by any other user or group.

To make the user a part of a group, select it from the *Member of group* field. Any modules that the group has will be granted to the user in addition to modules that you select on this page, and any access control restrictions that apply to the group in those modules will apply to the user as well. See the *Creating and editing Webmin groups* section for more information on how to add new groups to the list.

To give the user a normal password, select Set to from the menu in the Password field and enter it into the adjacent field. If the new user has the same name as a Unix user, you can select Unix authentication instead to have Webmin use PAM or read the /etc/shadow file to validate the user. To prevent the user from logging in at all, select No password accepted. This might be a good idea when creating a user who will have limited privileges, so that he cannot login until you have finished restricting his access.

To have Webmin use a different language for the user than the global default, select one from the Language field menu.

In most themes, module icons on Webmin's main page are displayed under categories. If this new user is going to be granted access to only a few modules, this is not really necessary and so you can change the Categorize modules? field to No.

To have the Webmin user interface displayed using a different theme for the user, set it in the Personal theme field.

To limit the addresses from which the new user can login to Webmin, change the IP access control field to *Only allow listed addresses*. Then fill in the text box next to it with hostnames, IP addresses, network/netmask pairs or wildcard hostnames (like *.foo.com). Note that these restrictions are checked only after any global IP access control set in the Webmin Configuration module have been passed.

Select all the modules that you want the user to have access to in the Modules section.

When done, click the Save button to have the new user created. You will be returned to the module's main page, and he will be able to login immediately.

To further restrict what the new user can do in each module that you have granted him access to, see the *Editing module access control* section below.

Creating a new Webmin user

You can speed up the process of creating a new user who has the same attributes and access permissions as an existing user by using the module's cloning feature. To clone a user, the steps to follow are:

Click on the username of the existing user that you want to clone on the module's main page.

Click on the Clone button at the bottom of the editing form. This will take you to the creation form shown in Figure 52-2, but with most fields already filled in with the attributes of the original user.

Fill in the Username field and set the Password, as they do not get copied from the cloned user. You can also adjust the values in any of the other fields.

When done, click the Create button. The new user will receive a copy of all module access control settings from the original user, but they will not be updated if the original user is changed in future.

If you want to create many users with access to the same modules and the same access control settings, it is better to create a group and assign the users to it. That way you can change the settings for all members at once by just editing the group.

Editing a Webmin user

You can change the username, password, language or any other attribute of a Webmin user (including the one you are logged in as) using this module. To edit a user, the steps to follow are:

Click on his username on the module's main page. This will bring you to an editing form, similar to the one shown in the image above.

By default, the password will be left unchanged. To edit it, select Set to *from the *Password field menu and enter a new password into the field next to it.

Change any of the other fields on the form, as explained in the Creating a new Webmin user section. You can even move the user to another group, which will cause him to lose access to all modules in the original group and gain access to those in the new group. If you are editing yourself, Webmin will not allow you to take away access to the Webmin Users module. This is to protect you from locking yourself out of the module and not being able to grant yourself access back again.

When you are done, click the Save button to have the changes applied immediately. If the username or password was changed and the user is currently logged in and Webmin is not in session authentication mode, he will have to login again.

You can delete a user by clicking the Delete button at the bottom of the editing form, which will also take effect immediately. Webmin will not allow you to delete yourself though.

Editing module access control

Many Webmin modules allow you to further restrict the actions that each user can perform using them. The actual access control options are different for each module, and are documented in detail in the Module access control section of the page that covers it. This section only describes the common process that you need to follow to configure what a user (or group) can do with a particular module:

On the Webmin Users main page, find the user or group that you want to restrict and click on the name of the module next to his name that you want to edit the restrictions for. This will bring up the access control editing form, an example of which is shown in the image below. That screenshot is from the Users and Groups module, so if you select a different module the available options will not be the same.

To stop the user from changing the module's configuration, set the Can edit module configuration? field to No. This should always be done, as in most modules the configuration settings could be changed to allow the user to gain root access or otherwise escape the access control restrictions that you have set up.

Change other options on the form to restrict the user in whatever way you wish. Each module covered in this book has a section in its chapter that explains exactly what the fields mean, and gives examples of how to set up common types of access control.

Click the Save button to make your changes immediately active and return to the module's main page.

The module access control form for Users and Groups

Not all modules allow you to limit what a user can do, as it would not make any sense. For example, the Software Packages module does not allow access control restrictions to be configured. Its primary purpose is the installation of new packages, and any user with the rights to install a package could build and install his own that gives him root access. In modules like these, only the Can edit module configuration? option appears on the access control form. For modules that have no options other than this, there is no Module access control section in their chapter of the book.

At the start of the list of modules next to every user is an entry called Global ACL. If you click on this, it will take you to an
access control form that allows the editing of restrictions that apply in all modules. The fields and their meanings are:

Root directory for file chooser There are many fields in Webmin for entering a file or directory name, and next to most of them is a button that pops up a simple fill chooser window. Users will not be able to use this file chooser to list directories outside whatever path you enter into this field. By default, it is set to / so that the entire filesystem can be browsed. This option only controls which directories can be browsed using the file chooser. A user can still enter ANY path into a filename field manually, unless the module has its own access control restrictions.

Users visible in user chooser In most Webmin modules when a username field is displayed, next to it is a button that pops up a window for selecting either a single or multiple users. This option allows you to control which users appear in that pop-up window, so that a particular Webmin user cannot see all of the Unix users on your system. This access control option does nothing to stop the user from manually entering any username that he chooses - it just limits that list the appears in the pop-up window.

Groups visible in group chooser This option works in exactly the same way as the one above, but applies to the pop-up group selection window instead.

Can send feedback email? When using the Webmin theme that is enabled by default, a Feedback button appears on every page in the upper-right corner. Changing this option to No will remove the button, while changing it to Yes, but not with config files will prevent the user from sending feedback with the Include module configuration in email option selected. Because all feedback goes to the author of Webmin by default, disabling it makes sense for users other than the master administrator.

Can accept RPC calls? Webmin has its own RPC (remote procedure call) mechanism that is used by the cluster modules, System and Server Status and others modules. Any client program that makes an RPC call to a Webmin server must first login as a normal user using a web browser client would. However, an RPC client can access all of the features of Webmin, edit arbitrary files and execute commands as root - regardless of any access control settings. For this reason, users without full access to Webmin should have this option set to No. The default is Only for root or admin, which means that only if the user is called root or admin can it be used to login for RPC. Because the root and admin users typically have full access to Webmin anyway, this is not a security problem. However, if you create a new user with one of these two names and grant him only limited Webmin access, make sure this option is set to No.

For almost all Webmin users, even those that are granted only limited access to some modules, the default Global ACL options will work fine and do not need to be changed.

Creating and editing Webmin groups

If you want to create a large number of users who will all have access to the same modules with the same access control options, the best solution is to create a Webmin group. Like users, groups have access to a subset of the available Webmin modules and have access control permissions in those modules. If you change the available modules or permissions for a group, those of all member users will change as well.

A group can itself be a member of another group, which it will inherit all allowed modules and access control settings from. If parent group is changed in any way, those changes will flow through to all member groups and their member users. There is no limit to the number of levels of group nesting that you can create.

To create a new group, the steps to follow are:

On the Webmin Users module main page, click on the *Create a new Webmin group* link near the bottom of the page under the Webmin Groups section. This will take you to the group creation form shown in Figure 52-4.

Fill in the Group name field with a unique name that is not used by any other existing user or group.

To make this new group a member of an existing one, select it from the Member of group menu.

Select all the modules that you want members of this group to have access to from the Members' modules list. Those from any parent group will be automatically included.

Click the Save button to have the new group created, and your browser returned to the module's main page.

Configure access control settings for members of the group by clicking on module names next to the group name on the main page, as described in the Editing module access control section above.

You can now create new Webmin users or edit existing ones to become members of the new group.

The Webmin group creation form

Once a group has been created, it can be edited by clicking on its name from the table under Webmin Groups on the module's main page. This will take you to the group editing form on which you can change any of its attributes, before applying them with the Save button. Or you can delete the group altogether with the Delete button, as long as it does not have any member users or groups.

Requesting a client SSL key

Normally, users authenticate themselves to Webmin with a username and password. However, if you are running in SSL mode and using a modern browser like IE or Netscape, it is possible to set up Webmin to authenticate you via a client-side SSL key instead. Usually an SSL web server sends its certificate to the client for authentication purposes, but the protocol also allows clients to send their certificates to the server as well.

The advantage of this method are that there is no need to remember a username and password any more, and that the old method of authentication can be disabled so that only clients with the SSL key can connect. Attackers thus cannot break in by guessing your password, or looking over your shoulder as you type it. Some browsers even support the storage of SSL keys on removable smart cards, which is even more secure.

Before a client key can be issued, Webmin must be switched to SSL mode and a certificate authority key generated. Both these subjects are covered in chapter 51. Once this is done, the steps to request a key are:

Login to Webmin as the user that you want to create a key for, using the browser that the key should be stored in. Browsers keep a list of client-side keys, usually protected by some password that must be entered only once when a key is first needed. It is usually possible to export keys to another browser of the same type though.

Go to the Webmin Users module, and click on the *Request an SSL Certificate* icon at the bottom of the page.

The form that appears will be different depending on whether you are running IE or Netscape. The following instructions apply to Netscape and Mozilla, as they are the most common browsers on Unix systems.

Enter a name into the Your name field, such as Joe Bloggs.

Enter your email address into the Email address field, such as joe@example.com.

If your Webmin system is on a company or organization network, will in the Department and Organization fields. Otherwise, they can be left blank.

Enter the state your system is in into the State field, such as California.

Enter a two letter country code like US into the *Country code* field.

From the Key size menu select the number of bits in the SSL key that will be created. The higher the number, the more secure, but the longer it will take to be authenticated. 1024 bits should be secure enough for anyone.

Click on the Issue Certificate button. Your browser should pop up a window showing the key generating progress, which is done on the client system. When it is complete and have been send back to Webmin, a success page will be displayed.

Click on the pick up your certificate link to store the newly generated and signed key in your browser. You may be asked by the browser for a password to secure your certificates.

To test that everything worked, logout of Webmin and quit your browser. The re-run it and attempt to connect, the login page should be bypassed, and the main menu displayed. The text SSL certified should appear next to your username in the browser's status bar.

Once SSL client authentication is working, you may no longer want clients to be able to login as this Webmin user with a username and password. To enforce this, go to the Webmin Users module, click on your username, select No password accepted from the Password menu and hit Save.

Viewing and disconnecting login sessions

When Webmin is in session authentication mode (as it is by default), it keeps track of all currently logged-in users. You can view this information and cancel sessions that seem to be invalid by following these steps:

Click on the View Login Sessions icon at the bottom of the Webmin Users module main page.

On the page that appears, the ID, login name and connection time of each active session will be listed, with the newest shown first. It is quite possible for several sessions to exist for the same user, as many people do not bother to properly logout of Webmin. However, old sessions will be automatically removed after 1 week.

To view the actions performed in some session, click on the View logs link in the last column. This will take you to a list of actions in the Webmin Actions Log module.

To cancel a session, click on its ID. This will immediately log the user out, but will not kill any CGI programs that Webmin is currently running for him.

Module access control

Interestingly, the Webmin Users module has its own set of access control options that can be used to determine which other users a particular Webmin user can edit. This is typically used to give a sub-administrator user the rights to create and edit only a subset of Webmin users, and to grant them access to only a few modules. To set up this kind of access, the steps to follow are:

In the Webmin Users module, click on Webmin Users next to the name of the sub-administrator you want to restrict.

Change Can edit module configuration? to No.

Set the Users who can be edited option to Selected users, and choose those accounts that you want the sub-administrator to be able to edit.

Change the Can grant access to field to either Selected modules, and choose from the list below the modules that the administrator is allowed to grant to new or edited users. There is not much point choosing modules that the sub-admin cannot already access.

Change Can rename users?, Can edit module access control?, Can request certificate?, Can configure user synchronization?, Can configure unix authentication?, Can view and cancel login sessions? And Can edit groups? To No. All the other yes/no fields can be set to Yes.

Change the Newly created users get field to *Same module access control as creator*. Because the sub-administrator is not allowed to edit the access control settings of modules that he grants to other users, they will always get the same settings that he does.

To force all new and edited users to be a member of a single group, change the Can assign users to groups field to Selected and choose the group from the list below. Or to prevent the sub-admin from choosing any group, select the <None> option. It may make sense for you to allow the creation of users who must be members of a group which has been set up with the appropriate restricted modules and permissions. If so, in step 4 you should not select any modules at all from the list so that only those from the group are available to created users.

Click the Save button to return to the module's main page.

If you are not forcing all new users to be a member of a particular group, make sure that the access control settings in other modules for the sub-administrator have been set correctly. They will be inherited by any new users that he creates.

The Webmin Users access control settings can also be configured to allow a user to change some of his own settings, but not edit other users or grant himself additional privileges. To set this up, the steps to follow are:

Click on Webmin Users next to the name of the user or group to whom you want to grant the rights to edit himself. Naturally, the user must have already been granted access to the module.

Change Can edit module configuration? to No.

Set the Users who can be edited option to This user.

Set the Can grant access to field to Selected modules, but do not select any from the list below. This will prevent the user from giving himself any additional module access.

Change Can request certificate?, Can change language?, Can change categorization? and Can change personal theme? to Yes, and all of the other yes/no fields to No.

Change Can edit groups? to No, and set *Can assign users to groups?* to Selected but do not select any from the list.

Finally, click Save. The Webmin user will now be able to use the module to change only his own password, language, theme and categorization mode, and request a client-side SSL certificate.

Configuring the Webmin Users module

The Webmin Users module has several options that can be configured by clicking on the Module Config link on the main page. The editable
fields and their meanings are: